Open Letter from the OLN to the WP29 and the European Parliament on the Privacy Shield

Paris, 7 April 2016 — The Privacy Shield, a framework for personal data transfers to US-based companies, is currently under negotiation. This new agreement follows the invalidation of the Safe Harbor by the European Court of Justice (ECJ), which ruled that it did not uphold a substantially equivalent protection for personal data of people protected under European law, and suggested new measures to address it. Since the draft Privacy Shield does not take these measures into account, the resulting agreement is bound to reduce the fundamental rights of Europeans.

Following its signature by the European Commission in 2000, the Safe Harbor agreement [2] was supposed to certify that transatlantic companies complied with data protection standards of similar effect to the European standards, despite the scepticism of the WP29, especially regarding US law. Edward Snowden's revelations in 2013 [3] showed the world the scope of US surveillance using the Patriot Act, concerning data processed and hosted on their territory (or on foreign ground) by international companies.

Consequently, on 6 October 2015, the ECJ invalidated the Safe Harbor with its Schrems ruling [4]. This ruling set the basis for a new agreement, by laying down the minimum criteria that the Commission should follow.

Unfortunately, the new agreement's draft, called the Privacy Shield [5], does not include all the guarantees deemed necessary by the ECJ. If signed as it is today, the agreement would jeopardise the protection of the fundamental rights to data protection and to privacy required by the Court of Justice.

In particular, the ECJ highlighted the following points:

- the need for such an agreement to provide for the "possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data" [6]. This possibility does not exist in the draft agreement, which bemoans the weakness of existing legal remedies [7], or merely refers to some US laws allowing access requests for information from US federal agencies, without the possibility of rectification [8]. To address this lacuna, the draft agreement should at least lay down the specific conditions for national data protection authorities to suspend transfers [9];

- such a possibility must be accompanied by "the existence of effective legal protection against interference" [10]. In theory, the draft Privacy Shield sets up an ombudsman in the US to deal with requests by European authorities investigating surveillance cases. But in practice, its independence has been called into question [11] by the European Ombudsman [12]. Furthermore, the competences of the Ombudsman should not be limited to surveillance;

- the Court's fundamental opposition to mass surveillance. The Court also required that the forthcoming agreement not allow "public authorities to have access on a generalised basis to the content of electronic communications" [13], nor the retention "on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States" [14]. However, the commitments made by the US refer to six [15] purposes allowing them to continue the indiscriminate collection of data from users of services such as those provided by Google or Facebook. The Commission explicitly underlines in the draft of the agreement that access to collected data will be strictly limited to specific and legitimate national defence purposes [16]. However, this is not reflected at all in any law or political commitment made by the US.

The ECJ invalidated the Safe Harbor because it did not protect the data transferred to the US from Europe against American mass surveillance. But the European Commission is about to accept a new agreement that does not provide better protection of Europeans' personal data. Similarly, the European Commission refused to investigate the national security policies of Member States in terms of mass data collection, thus going against all decisions of the ECJ [17].

Finally, the legal value of this text is only relative, and largely based on political promises that the upcoming presidential elections might sweep away [18], as some MEPs pointed out during the expert hearing at the European Parliament of 17 March. Therefore, this agreement, which is not ratified by the US Congress, gives absolutely no guarantees to people whose personal data is being transferred to the US.

L'Observatoire des Libertés et du Numérique (OLN) supports the reservations made by the WP29 and the European Parliament, and calls for pressure to be maintained on the European Commission so that it produces a legal analysis of the compliance of the draft with existing European legislation on data protection [19]. On this basis, the OLN calls for resuming negotiations with US authorities in order to properly examine the compliance of existing transfers.

This draft agreement is dangerous and does not live up to the standards of the protection of fundamental rights in Europe. As it is now, there is no doubt that the text would once again be challenged and invalidated by the ECJ, resulting in a legal instability that undermines trust in the digital economy. Going back to the negotiation table is hence crucial for the protection of our fundamental rights!

12. Indeed, Annex III of the draft Privacy Shield establishes the mandate of the Ombudsman, but does not include the obligation to inform the European authority whether the individual who requested the investigation is indeed under surveillance or not. By the same token, it does not include an obligation to inform the authority on how the violation against the natural person's privacy was ended, in case of illegal surveillance.

19. This analysis should be carried out in light of the "Safe Harbor" ruling (already mentioned), of the 1995 Directive on Data Protection, of the upcoming Regulation on Data Protection, and of the Charter of Fundamental Rights of the EU.